Authentication
Before you can start sending requests to the Shippit API, you need to set up your account, and authenticate to the Shippit servers.
Log in to your Shippit account
Before you start, make sure have your Shippit account set up, and you or your Shippit Project Manager have enabled carriers in your Shippit account. When your account is ready, you receive an email that confirms you have access to the platform. Follow the instructions in the email and log in to your Shippit account.
When you are logged in, make sure you have added billing details for your account, and copied your API key. For more information about how to do this, see the Get Started with Shippit APIs article.
API keys and secrets
To use the Shippit APIs, you need an API secret, a confidential value used to authenticate your API requests. To view your API secret, log in to your Shippit account, and navigate to Settings → Integrations.
Authentication header
Shippit’s API uses Bearer authentication. This means you need to include your API Secret in the Authorization header of every request you send. The header should look like this:
Authorization: Bearer YOUR_API_SECRET
Important: Do not include your API Secret directly in the URL of your requests. Doing this is insecure and isn’t supported by Shippit.
Rate limiting
All Shippit APIs are rate limited to 60 requests per rolling 60 seconds per API key. If you exceed this rate you receive a 429 HTTP error. If you want to request a higher rate, contact Shippit support.
Additional request headers
When you use Shippit APIs, we require you to provide additional information in your request headers. This table shows the additional headers that you need to provide:
| Request Header | Purpose | Example | Type and limits | Mandatory? |
|---|---|---|---|---|
user-agent | A string to help identify technical information about the integration. Useful information includes software library names, release versions, and dates. | Shippit_Shipping for Magento2 v1.5.3 | 200 chars | Recommended |
x-shippit-partner | A string to identify the entity developing and maintaining the integration. This could be a business name for self-maintained integrations, or the name of a technical partner maintaining the integration. | Shopify, Wallymart | 200 chars | Optional |
x-shippit-platform | A string identifying the platform or software making the calls. This helps us identify when all integrations on the same platform require action, or who to contact about known issues with a platform type. | Magento v2, CustomShop2000 | 200 chars | Recommended |
Providing this additional information allows Shippit to better support your integration. Information like this allows us to identify which systems are making API requests, and who to contact with important information about specific integrations or platforms.
HTTP authentication
The Shippit staging and production environments are both protected by an HTTPS layer, to ensure that data is passed over an encrypted connection. The SSL certificates are issued by Amazon, which is a trusted CA (Certificate authority), and are automatically renewed every 60 days, before they expire. Because of this renewal mechanism, we do not recommend that you use certificate pinning
Common authentication errors and troubleshooting
If you encounter authentication errors, check these things first:
- Make sure you’re using the correct API secret and that it hasn’t expired.
- Check that the
Authorizationheader is included in your request and formatted correctly. - Make sure you’ve added a valid credit card to your billing details in Shippit.
If you’re still having trouble, check the Troubleshooting section of this guide, or get in touch with your Shippit Project Manager. If you need to contact Shippit Support, use the purple chat icon in the bottom right hand corner of any screen to open our Support portal, or email us.